Hackers Aim Arrows at Retail Bulls Eye

Cyber security breaches may come in all shapes and sizes, but thieves are honing in on the retail industry, hoping to slip through the sector’s security loopholes on the hunt for credit card numbers.

Digital evildoers have been responsible for shutting down banks' commercial websites, infiltrating the Federal Reserve, hacking into journalists’ emails and stealing phone numbers and usernames of executives and federal employees.

And that was just in the last year.

As their attacks get more sophisticated and businesses start adopting better security protocols, the food and beverage and retail industries continue to look more appetizing to cyber villains looking to take advantage of their weaker security protection and the growing number of shoppers using their mobile devices as a point of sale.

“All victims share something in common: they never thought it would happen to them,” said Christopher Pogue, director of digital forensics and incident response for Trustwave’s Spiderlabs.

With restaurants and retailers focused on customer service, critical cyber protection is often pushed to the backburner, making them incredibly lucrative targets with highly attractive returns on investment.

Trustwave SpiderLabs, which performed more than 450 data breach investigations in 19 countries in 2012, said the primary data type targeted by attackers last year was cardholder data. Information stolen from cards is quickly sold into a flourishing underground enterprise, with data being bought and sold in bundles and used in fraudulent transactions.

Retail is by far cyber criminals’ biggest target, making up 45% of total breaches in 2012, which is a 15% year-over-year increase from 2011, according to Trustwave. One of the reasons is because of the sheer number of merchants that accept electronic payments, as well as the “it won’t happen to me” mentality that has caused companies in the services and retail industries to shrug off cyber threats.

“With such a vast number of merchants accepting payment cards, and with so many available attack vectors, it is unlikely this market will change anytime soon,” Trustwave said in the report.

The food and beverage industry, which made up 24% of total breaches last year, is the second most targeted sector, according to Trustwave’s recently-released annual global security report, which analyzed data from more than two million networks, 400 web-based data breaches and more than 20 billion emails collected and analyzed from 2007 to 2012.

The two often flip flop between the No. 1 and No. 2 most targeted given their similarities.

“I see those two continuing to vie for the No. 1 target for years to come and don’t really see any decline on the horizon, unfortunately,” Pogue said.

Lessons From History

Cyber attacks in the retail and food industries have happened before -- look no further than Barnes & Noble, Zappos and Subway, which are among the many retailers that have faced cyber intrusions over the last few years.

In the case involving Subway and other unnamed retailers, the card data of 80,000 customers was comprised and used to make millions of dollars in unauthorized purchases from 2008 to May 2011. The hackers, all 20-something Romanian nationals, infiltrated more than 200 U.S.-based merchants’ point-of-sale systems after scanning the Internet for vulnerable POS systems.

Zappos.com, which is owned by Amazon (AMZN), admitted early last year that information from up to 24 million customers, including names, billing addresses, phone numbers, truncated credit card numbers and “cryptographically scrambled” passwords were comprised last January in a breach.

Then, in October of 2012, Barnes & Noble admitted that devices used by customers to swipe credit and debit cards in 63 of its stores were tampered with, allowing cyber criminals to capture credit card information and PIN numbers.

“Cyber criminals are really after the credit card,” said Richard Stiennon, chief research analyst at IT-Harvest. “Retailers have the information.”

Kink in the Chain

From small to large, weaknesses in the system continue to be a major hiccup for overcoming attacks. A spokesperson for the U.S. central bank last week admitted that the Federal Reserve hack occurred by “exploiting a temporary vulnerability in a website vendor product.”

Similarly, in the case involving Subway, criminals scanned the Internet for vulnerable POS systems before installing trackers on the machines that recorded any data keyed into or swiped through them.

“This is the cost of doing business,” Pogue said. Retailers “have got to come to a place where they understand that cyber threat is a real enemy that is looking to steal your money so they can monetize it on the black market.”

The National Retail Federation, the industry’s largest advocacy group that oversees thousands of retailers, declined to comment on the cyber threat.

To be fair, retailers have significantly improved their security systems over the last few years amid the onslaught of attacks and new security laws. However, with hacker tactics improving and millions of credit cards at risk of fraud, the issue remains wide-scale.

Indeed, as businesses become better equipped to fight back, cyber evildoers grow equally -- if not more -- savvy in their tactics.

“Computer security as a whole is simply not keeping up with the attackers,” Pogue said.

To give some perspective of the threat's magnitude, Trustwave determined that attacks in 2012 originated in 29 different countries, with the largest bulls eye on the U.S., which made up some 73% of total incidents.

One way retailers can fight back is to ensure there are no kinks in their system. That means keeping firewalls up to date, encrypting credit card data as soon as it enters the POS and using difficult-to-guess passwords (not Password1, which Trustwave said is used, along with other easy-to-guess passwords, 50% of the time.)

“In every case, it’s usually some kind of missed administrative step that lets these attackers in,” Pogue said. “These aren’t the most skilled hackers on the planet, things are just left open.”